Auger tested both Web-based and local RSS readers and found both types to be ripe platforms for malicious users to exploit with code injection that could steal users’ credentials, cookies, keystrokes and other information.

There are two principal approaches for hackers to take advantage of RSS. The first is that the feed owner is malicious and injects the code into their own feed directly. In Auger’s view that’s not the most popular use case.

Augur suggested that rather than defacing a Web site, a hacker could inject an attack into the feed. In such a scenario, the attacker then “owns” all of the site’s subscribers as well.

It’s the delivery potential of RSS that makes it so potentially harmful. It’s an attack vector that has the potential to affect thousands of people at a time based on the popularity of the compromised feed.

Web-based readers are particularly vulnerable to a variety of attacks including SQL Injection, command execution and denial of service.